Author Chris Thorpe | Coliance Technical Director
The Countdown to 90-Day Certificates: Are You Prepared?
In the world of digital security, change is the only constant. The trend for public TLS/SSL certificates has been a steady march towards shorter lifespans, and the next major milestone is on the horizon: a proposed reduction to a maximum validity of just 90 days … some reports say this may reduce further to 47, but for now the proposal is 90.
This isn’t a sudden development but a continuation of a long-term security strategy. If you’ve been managing digital certificates for a while, you’ll remember the gradual drawdown over the years:
- Then: Lifetimes were once as long as three to five years.
- Later: They were reduced to two years.
- Now: The current industry standard, mandated in 2020, is a maximum of 398 days (effectively one year).
- Next: The move to a 90-day maximum is the next logical step in this evolution.
The primary driver behind this change is security. Shorter certificate lifetimes reduce the window of opportunity for a compromised certificate to be exploited by malicious actors. It also encourages—and practically necessitates—the adoption of automated certificate management, a best practice that makes security infrastructure more agile and resilient.
Beyond the Browser: The Impact on AS2 and B2B Systems
While this change directly affects website administrators, its impact is felt far beyond public-facing web servers. Critical business-to-business (B2B) communication protocols, such as AS2 (Applicability Statement 2), rely heavily on digital certificates for encrypting and signing sensitive data exchanged between trading partners.
For many organisations, managing AS2 certificates is a manual process. It involves generating a certificate, sending the public key to a trading partner, and loading their key into your system. With a one-year lifespan, this is a manageable annual task.
However, a 90-day cycle transforms this into a quarterly administrative burden. Failing to update a certificate on time can break the connection with a trading partner, halting the flow of crucial documents like purchase orders and invoices. The risk of business disruption becomes significantly higher.
How to Prepare for the 90-Day Era
The message from the industry is clear: automation is no longer optional. To prepare for this inevitable shift, businesses should:
- Audit Everything: Get a complete inventory of every TLS certificate you use—for web servers, email, VPNs, and especially for B2B protocols like AS2.
- Embrace Automation: Investigate and implement certificate management platforms and protocols like ACME (Automated Certificate Management Environment). Automation eliminates the risk of human error and ensures seamless renewals.
- Communicate with Partners: Start a dialogue with your trading partners about their plans for managing more frequent certificate rotations.
The shift to 90-day certificates is a matter of “when,” not “if.” By taking proactive steps now, you can ensure this security enhancement doesn’t become a disruption for your business operations.
Related Articles
